Certificate and CRL Path Validation Error
on 31.08.2006 14:53:33 by rlabbe
All,

I am working in an environment utilizing a PKI consisting of several Root and Intermediate Certificate Authorities. In order to reduce the overhead when requiring client authentication using digital certificates, I am using the following two directives:

SSLCACertificatePath – Used for Root and Intermediate CAs
SSLCARevocationPath – Used to Process Certificate Revocation Lists

I've yet to encounter a version of Apache and Mod_SSL performing proper path validation. If a user presents a certificate that is revoked, but not included in the directory containing all the PEM/Base64 encoded CRL files and associated symbolic links, Apache allows access.

If a user presents a certificate issued from an Intermediate Certificate Authority that is not included in the directory containing all the Root and Intermediate CA certificates in PEM/Base64 encoded format and associated symbolic links, he/she is allowed access.

I would prefer the system to validate the entire chain and not allow access in the event a local CRL file or Intermediate CA certificate is not available. By default, IIS performs this path validation correctly. If IIS does not have a current CRL file issued by each and every CA in the certificate path, the client is denied access. If IIS does not have a certificate from each and every CA in the certificate path, the client is denied access.

I am trying to automate the process of updating the CA certificate directory and associated CRL directories by scheduling a job to run on a nightly basis. If Apache has a local CRL and CA certificate from each and every CA in the path used to issue the client certificates, then all checks are performed and the client is properly validated.

I would prefer the system default to "Closed" instead of "Open" in the event an Intermediate CA certificate is unavailable or no CRL file is available. Again, the system must have at least one CA certificate trusted and available locally, but no CRL files.

Note: I have issued a client certificate from a client certificate issued by one of the Intermediate CAs and Apache does deny access because the key usage of the client certificate does not allow it to be used as a Root CA and issue additional client certificates. I used OpenSSL in order to issue client certificates from a client certificate. This type of path validation seems to work on all the versions of Apache and Mod_SSL I've tested.

Thanks
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
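The fail-closed check the poster is asking for, as an added example that is not part of the thread and not mod_ssl's own code: the script below builds a throwaway root -> intermediate -> client PKI with the OpenSSL command line (the names root, inter and alice, the staging directory names and the extension profiles are all constructed here), publishes the CA certificates and CRLs in the hash-named symlink layout that SSLCACertificatePath and SSLCARevocationPath read, and then runs `openssl verify -crl_check_all` against each staging directory. That verify call refuses the client certificate in exactly the situations described in the post (no CRL for a CA in the chain, intermediate missing from the directory, certificate listed on a CRL), so a nightly job can run it against the freshly assembled directories before swapping them into place. It assumes the openssl binary is on PATH; everything else is generated in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway PKI + hashed CA/CRL
# directories + a fail-closed verification of a client certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed extension profiles: CAs may sign certs and CRLs, the
# end-entity certificate may not (this is the keyUsage the poster saw enforced).
cat > ext.cnf <<'EOF'
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_client]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# newca NAME [ISSUER]: key and certificate (self-signed without ISSUER) plus
# the minimal "openssl ca" state (index + config) used later for CRLs.
newca() {
  mkdir -p "$1"; : > "$1/index.txt"; echo 1000 > "$1/crlnumber"
  cat > "$1/ca.cnf" <<EOF
[ca]
default_ca = CA_default
[CA_default]
database = $WORK/$1/index.txt
crlnumber = $WORK/$1/crlnumber
default_md = sha256
default_crl_days = 30
EOF
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1/key.pem" -out "$1/csr.pem" 2>/dev/null
  if [ $# -eq 1 ]; then
    openssl x509 -req -in "$1/csr.pem" -signkey "$1/key.pem" -days 365 \
      -extfile ext.cnf -extensions v3_ca -out "$1/cert.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1/csr.pem" -CA "$2/cert.pem" -CAkey "$2/key.pem" \
      -CAcreateserial -days 365 -extfile ext.cnf -extensions v3_ca \
      -out "$1/cert.pem" 2>/dev/null
  fi
}

# gencrl CA OUT: sign CA's current CRL from its index (30-day validity).
gencrl() {
  openssl ca -config "$1/ca.cnf" -cert "$1/cert.pem" -keyfile "$1/key.pem" \
    -md sha256 -crldays 30 -gencrl -out "$2" 2>/dev/null
}

# revoke CA CERT: mark CERT revoked in CA's index; visible after the next gencrl.
revoke() {
  openssl ca -config "$1/ca.cnf" -cert "$1/cert.pem" -keyfile "$1/key.pem" \
    -md sha256 -revoke "$2" 2>/dev/null
}

# publish DIR FILE...: the nightly-job step. CA certificates become
# <subject-hash>.0 and CRLs <issuer-hash>.r0, the names mod_ssl's *Path
# directives and "openssl verify -CApath" look up.
publish() {
  dir=$1; shift; mkdir -p "$dir"
  for f in "$@"; do
    case $f in
      *.crl) ln -sf "$WORK/$f" "$dir/$(openssl crl  -in "$f" -noout -hash).r0" ;;
      *)     ln -sf "$WORK/$f" "$dir/$(openssl x509 -in "$f" -noout -hash).0" ;;
    esac
  done
}

# verify_reason DIR CERT: prints OK only if CERT chains to a CA in DIR and
# every CA in the chain has a CRL in DIR that does not list it; otherwise
# prints OpenSSL's first verification error. -crl_check_all is what makes
# a missing CRL a hard failure instead of a silent pass.
verify_reason() {
  if out=$(openssl verify -no-CAfile -CApath "$1" -crl_check_all "$2" 2>&1); then
    echo OK
  else
    printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
  fi
}

newca root
newca inter root
openssl req -new -newkey rsa:2048 -nodes -subj /CN=alice \
  -keyout alice.key -out alice.csr 2>/dev/null
openssl x509 -req -in alice.csr -CA inter/cert.pem -CAkey inter/key.pem -CAcreateserial \
  -days 365 -extfile ext.cnf -extensions v3_client -out alice.pem 2>/dev/null
gencrl root root.crl
gencrl inter inter.crl

publish no_crl root/cert.pem inter/cert.pem              # CAs present, no CRLs
NO_CRL=$(verify_reason no_crl alice.pem)
publish complete root/cert.pem inter/cert.pem root.crl inter.crl
COMPLETE=$(verify_reason complete alice.pem)             # the only accepted case
publish no_inter root/cert.pem root.crl                  # intermediate missing
NO_INTER=$(verify_reason no_inter alice.pem)
revoke inter alice.pem; gencrl inter inter.crl           # reissue inter's CRL
REVOKED=$(verify_reason complete alice.pem)

printf 'no CRL:          %s\nall present:     %s\nno intermediate: %s\nrevoked:         %s\n' \
  "$NO_CRL" "$COMPLETE" "$NO_INTER" "$REVOKED"
```

Run as a pre-deployment gate: point `publish` at the staging copies of the two directories, and only rotate them into the paths named by SSLCACertificatePath and SSLCARevocationPath when a known-good client certificate verifies as OK, so a CA whose CRL download failed overnight cannot silently turn the check off. Later httpd 2.4 releases also added the server-side equivalent, `SSLCARevocationCheck chain`, which makes mod_ssl itself reject the handshake with "unable to get certificate CRL" when no CRL is available for a CA in the chain; the thread's mod_ssl 2.8 / httpd 2.0-era behaviour is the fail-open one the poster describes.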
Re: Certificate and CRL Path Validation Error
on 31.08.2006 15:14:06 by Patrick Patterson
Hi There:
The limitations of mod_ssl for path validation go further than what you have described, in that it also cannot perform policy mapping up the entire certificate chain, and also has no concept of how to deal with AIA or SIA fields. I'm not sure where the developers are in terms of full RFC 3280 Path Validation compliance, but we also have a need for fuller path validation, especially a model that will work in a Cross-Certification type environment.

It is our intent to start work on this this fall, unless we hear from the community that there is already work underway to add in full 3280 validation to mod_ssl.

(I'll probably take this over to modssl-devel, but since you asked, I thought that I would bring it up here.)
Cheers.
On Thursday 31 August 2006 08:53, rlabbe@satx.rr.com wrote:
> All,
>
> I am working in an environment utilizing a PKI consisting of several
> Root and Intermediate Certificate Authorities. In order to reduce the
> overhead when requiring client authentication using digital
> certificates, I am using the following two directives:
>
> SSLCACertificatePath – Used for Root and Intermediate CAs
> SSLCARevocationPath – Used to Process Certificate Revocation Lists
>
> I've yet to encounter a version of Apache and Mod_SSL performing proper
> path validation. If a user presents a certificate that is revoked, but
> not included in the directory containing all the PEM/Base64 encoded CRL
> files and associated symbolic links, Apache allows access.
>
> If a user presents a certificate issued from an Intermediate
> Certificate Authority that is not included in the directory containing
> all the Root and Intermediate CA certificates in PEM/Base64 encoded
> format and associated symbolic links, he/she is allowed access.
>
> I would prefer the system to validate the entire chain and not allow
> access in the event a local CRL file or Intermediate CA certificate is
> not available. By default, IIS performs this path validation correctly.
> If IIS does not have a current CRL file issued by each and every CA in
> the certificate path, the client is denied access. If IIS does not have
> a certificate from each and every CA in the certificate path, the
> client is denied access.
>
> I am trying to automate the process of updating the CA certificate
> directory and associated CRL directories by scheduling a job to run on
> a nightly basis. If Apache has a local CRL and CA certificate from each
> and every CA in the path used to issue the client certificates, then
> all checks are performed and the client is properly validated.
>
> I would prefer the system default to "Closed" instead of "Open" in the
> event an Intermediate CA certificate is unavailable or no CRL file is
> available. Again, the system must have at least one CA certificate
> trusted and available locally, but no CRL files.
>
> Note: I have issued a client certificate from a client certificate
> issued by one of the Intermediate CAs and Apache does deny access
> because the key usage of the client certificate does not allow it to be
> used as a Root CA and issue additional client certificates. I used
> OpenSSL in order to issue client certificates from a client
> certificate. This type of path validation seems to work on all the
> versions of Apache and Mod_SSL I've tested.
>
> Thanks
--
Patrick Patterson
President and CEO
Carillon Information Security Inc.
http://www.carillon.ca
Re: Certificate and CRL Path Validation Error
on 31.08.2006 15:17:10 by Patrick Patterson
On Thursday 31 August 2006 09:14, Patrick Patterson wrote:
> (I'll probably take this over to modssl-devel, but since you asked, I
> thought that I would bring it up here.)
>
Hmm - I thought there WAS a developers mailing list, but apparently I was
mistaken - so I guess I have to ask is this the right place to have
discussions about the best way to add in the capability for mod_ssl to do
full 3280 path validation?
Thanks.
--
Patrick Patterson
President and CEO
Carillon Information Security Inc.
http://www.carillon.ca
Re: Certificate and CRL Path Validation Error
on 04.09.2006 10:17:14 by Joe Orton
On Thu, Aug 31, 2006 at 09:17:10AM -0400, Patrick Patterson wrote:
> On Thursday 31 August 2006 09:14, Patrick Patterson wrote:
>
> > (I'll probably take this over to modssl-devel, but since you asked, I
> > thought that I would bring it up here.)
> >
>
> Hmm - I thought there WAS a developers mailing list, but apparently I was
> mistaken - so I guess I have to ask is this the right place to have
> discussions about the best way to add in the capability for mod_ssl to do
> full 3280 path validation?
New mod_ssl development generally happens in the httpd 2.x tree, so
dev@httpd.apache.org is where it is discussed. I don't think Ralf is
adding new features to mod_ssl 2.8 any more.
Regards,
joe